Vendor Resources

Handbooks and Policies

Information Security Resources

Data Use Agreement

A Data Use Agreement is required for all covered or governmental entities performing business associate functions or who access certain types of confidential information that have specific regulatory requirements for privacy, security and breach notification.

HHS agencies must request these entities to execute a Data Use Agreement to contractually bind the entity to regulatory requirements and enforcement capability should the entity fail to protect HHS confidential information.

Texas HHS Security and Privacy Inquiry

The Security and Privacy Inquiry questionnaire includes a list of minimum HHS information security and privacy requirements needed prior to accessing HHS confidential information. An external entity must be able to confirm all requirements are "in-place" before being considered eligible to conduct business with HHS (additional information security and privacy requirements may apply).

The Security and Privacy Inquiry (PDF) is required by federal and state law to demonstrate minimum compliance with privacy and security regulations.

It is an attachment to the Data Use Agreement and must be completed by the vendor prior to the Data Use Agreement being executed.

Supplemental Health Information Technology Guide

The Office of the National Coordinator publishes the Privacy and Security of Electronic Health Information Guide (PDF) to help healthcare providers (especially HIPAA covered entities and Medicare eligible professionals) better understand how to integrate federal health information privacy and security requirements into their practices.

Security Assessment Report and Attestation Guidance

The Security Assessment Report is used to identify and document the current risk level of HHS information resources and systems. This report details how the HHS information resources and systems comply with applicable HHS information security controls. External entities must also attest they are compliant with all HHS information security control requirements.

Completion of Cybersecurity Training for Contractors (as part of HB3834)

As defined in Section 2054.5192 of the Texas Government Code, HHS shall require any contractor with access to HHS information (data) resources and systems to complete a cybersecurity training program certified by the Department of Information Resources.

The Contractor Written Acknowledgement of Completion of Cybersecurity Training Program.  This form must be completed and returned to the appropriate contract manager every new fiscal year no later than April 30th.

Find more information on the HB3834 Information Security/Cybersecurity Training Requirement for Contractors FAQ (PDF).

HHS Authorization to Operate

Texas Administrative Code 202.26, mandates a senior organizational official formally accepts responsibility of any residual risk of an HHS information system and grants authorization to operate (ATO).

A Deputy Executive Commissioner signs the ATO after an HHS information system has undergone a risk and security assessment validating the system has met and passed all security and privacy requirements to become operational.

Vendor Information Systems

The Security Assessment Report and Attestation typically satisfies the documentation of compliance with all required information security controls necessary for an ATO.

While the actual documents of the authorization package are NOT necessarily required to be submitted to HHS during the ATO, each document MUST be available upon request.

Vendors must respond to a security documentation request (necessary to confirm compliance) within 10 business days of the official request from the contract manager.

Grant and HUB Resources

Grant resources may be found at For HUB resources, visit the HUB Procurement Resources page and the Toolkit for Business Development page.

DCS Service Delivery Resources

GlobalScape Navigation Help (PDF) — This document assists the SFTP (GlobalScape) user with general navigation while accessing the GlobalScape web transfer client.

Other Resources & Training

For video, recorded webinars and other training resources, visit the Vendor Training Center page.

Need More Help?

We are committed to working smart and working together for Texans. If you have additional questions about procurements, the procurement process, or need additional training, contact us at

Is there a resource missing? Contact Procurement and Contracting Communications at